CloudFlare is a Content Delivery Network (CDN) and distributed Domain Name System (DNS) service aimed at enhancing the performance and security of websites.  According to CloudFlare, on average, a website using their service will load twice as fast and use 60% less bandwidth, and the service will stop malware bots and spammers reaching the website, making it way more secure.

CloudFlare was created in April 2009, launched in September 2010 and has rocketed to success since gaining significant media attention after providing security to LulzSec’s website.  The project was formed by Matthew Prince and Lee Holloway of Project Honey Pot fame and, similarly, CloudFlare gets better as more people use it by pooling the knowledge of thousands of websites into a virtual fraud and abuse team.

So, how does it work?  It’s remarkably simple really; you change the DNS settings for your domain so that all user requests for your website are routed through CloudFlare’s global network of proxy servers that optimise the delivery of your web pages in a number of ways:

  • Static content is intelligently cached by CloudFlare and is served directly from whichever of their proxy servers is geographically closest to the visitor.
  • Requests originating from suspicious IP addresses (like those known to be part of a botnet or that have been used elsewhere for spam) are presented with a (customisable) web page that asks them to complete a Captcha test before their request is sent to your web server.
  • Requests for dynamic content that are deemed ‘safe’ are then passed to your web server, meaning that CloudFlare is compatible with pretty much anything and you don’t need to make any changes to your site to use the service.

The result is that your visitors should see a significant improvement in the performance of your website and you should have a lot less spam to deal with.  It sounds a little too good to be true, but the fact of the matter is that it works!

DNS Management

To use CloudFlare, the first step is to move the hosting of your DNS records over to CloudFlare.  Technically speaking, you’re only changing the ‘NS’ records, so you’ll continue to use your existing domain registrar and web hosting provider.  Here at Liquidstate, we weren’t too sure about this to begin with – after all, if CloudFlare’s DNS servers all go offline, then your website will be unreachable and any emails sent to you will bounce.  However, CloudFlare has a presence in 12 data centres globally and the web interface they provide for DNS management is far superior to many of the domain registrars!  More importantly, you retain control of your domain and your web hosting, meaning that you can disable CloudFlare without any input from them if you wanted to.

So, using the interface I can now manage a multitude of different record types (A, CNAME, MX, TXT, SPF, AAAA, NS, SRV, LOC) and apply individual TTLs from 5 minutes to 24 hours.  However, best of all, it looks nice!  To be honest, I’d say it’s worth using CloudFlare for DNS management alone, but that’s just the beginning of how they can improve your website!

Performance

CloudFlare is a Content Delivery Network (CDN) containing copies of static content strategically located to provide increased bandwidth and redundancy whilst reducing access latency.  CloudFlare’s network currently has 12 locations (San Jose, Los Angeles, Chicago, Washington DC, New Jersey, Dallas, Amsterdam, Paris, Frankfurt, Hong Kong, Singapore and Tokyo) with new data centres planned in London and Miami.

  • CloudFlare will cache static content with the following file extensions: css, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, pdf, pls, ppt, tif, tiff, eps, swf, midi, mid, ttf, eot, woff, svg and svgz.
  • CloudFlare ensures that the static content they have cached is additionally cached by the users’ browsers wherever possible.  You can change how long data should remain on visitors’ computers in the CloudFlare control panel, but the default is 4 hours.
  • CloudFlare’s global network allows them to route traffic over preferred network routes that are often more efficient than what a request would normally take.
  • For sites that get a lot of traffic, CloudFlare can keep a connection open between the origin server and the CloudFlare proxy which ensures a more stable and performant route.
  • CloudFlare's servers are optimised for a very high level of lossless compression, so even for dynamic pages the content can be compressed more (and therefore delivered more quickly) than with the typical GZIP settings most people implement on their web servers.
  • CloudFlare can modify even dynamic content on the fly to optimise it for the particular device accessing the page.  “Auto Minify” can be enabled to reduce the size of dynamic HTML, CSS and JavaScript on the fly to eliminate comments and whitespace, reducing the amount of data that the client browser must download.
  • The new “Rocket Loader” feature can more aggressively rewrite the way resources on a page are delivered to ensure the maximum performance for the particular device accessing the site.

Security

CloudFlare is a broad security solution that is designed to provide protection from exploits, botnet zombies, email harvesters, web spammers and badly behaved web crawlers.  When a visitor is suspected of suspicious behaviour they are presented with a (customisable) challenge page that asks that they complete a simple Captcha test to prove that they are human.

CloudFlare uses a variety of data sources to identify which visitors to challenge. Specifically, CloudFlare leverages threat data from Project Honey Pot and a variety of other third-party sources to identify online threats. In addition, CloudFlare uses the collective intelligence of the websites on its system to identify new threats that arise. So if a new threat is identified on one site, CloudFlare can automatically protect the rest of the CloudFlare community.  Of course, you can also manually choose to blacklist or whitelist visitors by IP address or country.

In addition to the benefits of perimeter security, CloudFlare offer a number of services that can modify the contents of your website on the fly to improve its security.  For example, CloudFlare can automatically scramble e-mail addresses on your web pages, thwarting bots from discovering and spamming them, while keeping them visible to humans by injecting some JavaScript decode routines on the fly.
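
How this kind of on-the-fly scrambling can work, as an added example that is not from the original article or from CloudFlare. The XOR-and-hex encoding, the data-obf attribute and every function name are assumptions made for illustration.

```javascript
// Added illustration. The XOR-and-hex encoding and all names here are
// assumptions, not CloudFlare's actual scheme.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const MAILTO_RE = /<a\s[^>]*href="mailto:([^"?]+)[^"]*"[^>]*>[\s\S]*?<\/a>/gi;

// Hex string: first byte is the key, the rest is the UTF-8 address XORed with it.
function encodeEmail(email, key) {
  const hex = (b) => b.toString(16).padStart(2, "0");
  return hex(key) + Array.from(new TextEncoder().encode(email), (b) => hex(b ^ key)).join("");
}

// Inverse of encodeEmail; this is the routine the proxy would inject into the page.
function decodeEmail(encoded) {
  const key = parseInt(encoded.slice(0, 2), 16);
  const bytes = [];
  for (let i = 2; i < encoded.length; i += 2) {
    bytes.push(parseInt(encoded.slice(i, i + 2), 16) ^ key);
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Proxy-side rewrite of outgoing HTML. Whole mailto links go first so the address
// in the href is removed too; bare addresses in text follow. Addresses inside
// other attributes are out of scope for this sketch.
function scrambleHtml(html, nextKey = () => 1 + Math.floor(Math.random() * 255)) {
  const span = (addr) =>
    `<span data-obf="${encodeEmail(addr, nextKey())}">[address hidden]</span>`;
  return html
    .replace(MAILTO_RE, (_link, addr) => span(addr))
    .replace(EMAIL_RE, (addr) => span(addr));
}

// Browser side: restore the text for human visitors once the script runs.
function revealEmails(root) {
  for (const el of root.querySelectorAll("[data-obf]")) {
    el.textContent = decodeEmail(el.dataset.obf);
  }
}

// What a harvester that only pattern-matches the raw HTML would collect.
function harvestable(html) {
  return html.match(EMAIL_RE) || [];
}

// Constructed sample page.
const SAMPLE = '<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a>, ' +
  "support: help@example.org</p>";
```

The protection only holds against bots that do not execute JavaScript, since the decode routine ships with the page.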

If you’re willing to subscribe to a “Pro” subscription, you will gain access to a number of advanced security features including their “Web Application Firewall” service that provides real time protection against automated attacks, SQL injection, XSS JavaScript injection and a host of other nasties.

Availability

If CloudFlare can't connect to your web server, they will display a "Website Currently Unavailable" message to your visitors.  However, if you enable the “Always Online” feature, CloudFlare will attempt to keep some of your site online using whatever site elements they have available in their cache.  The feature works by caching the results of search engine crawl traffic, so the longer you use CloudFlare, the more of a cache they will have to display.  CloudFlare continually check for your site to come back online and once it does, they switch back to the live version.